The domain tree is an important improvement that Active Directory makes over the traditional NT4 domain model. In the NT4 era, each domain used a flat NetBIOS name with no hierarchy, and domains had no built-in association with one another; the only link available was a domain trust relationship, and those trusts were not transitive. This causes several problems in enterprise management. First, it is difficult to judge from the names whether one domain is subordinate to another, for example a Beijing domain and a Shanghai domain. Second, because trust relationships between domains are not transitive, creating full trust among a large number of domains takes a lot of time. Assuming there are 10 domains, we have to establish 45 trust relationships among them to make all of these domains fully trust each other.
The domain tree resolves both problems well. Parent and child domains in a domain tree use hierarchical DNS domain names, so the names alone tell us how two domains are related. For example, given the two domains abc.com and test.abc.com, we can easily tell that the latter is a subdomain of the former. The domain tree also improves trust relationships: a two-way transitive trust is automatically established between domains within the tree, which is clearly a significant gain in efficiency.
Since the domain tree is so important, we will show how to deploy a two-tier domain tree that includes a parent domain and a child domain. The topology is shown in the following illustration: the parent domain is itet.com, and its domain controller and DNS server is Florence; the child domain is shanghai.itet.com, and its domain controller and DNS server is Firenze. The parent domain has already been created, and we will show how to deploy the child domain. Deployment is easier if the parent and child domains share the same DNS server. However, the child domain may want its own authority over name resolution, which makes a lot of later work easier to carry out, so we decided to set up a separate DNS server in the child domain.
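The two points above (hierarchy read from DNS names, and transitive trust replacing a full mesh) can be checked with a small model. This is an added example, not part of the original article; apart from abc.com and test.abc.com the domain names are constructed, and the model assumes only two-way parent-child trusts.

```python
from collections import deque
from itertools import combinations

# Constructed sample: 10 domains in one tree rooted at abc.com.
SAMPLE = ["abc.com", "test.abc.com", "lab.test.abc.com"] + [
    f"site{i}.abc.com" for i in range(1, 8)
]

def parent_of(domain, domains):
    """Closest parent of `domain` among `domains`, judged by whole DNS labels."""
    labels = domain.lower().split(".")
    # Strip one leading label at a time: test.abc.com -> abc.com -> com
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None  # tree root, or unrelated (notabc.com is not under abc.com)

def tree_trusts(domains):
    """Two-way parent-child trusts that a domain tree creates automatically."""
    domains = {d.lower() for d in domains}
    pairs = ((d, parent_of(d, domains)) for d in domains)
    return {frozenset(p) for p in pairs if p[1]}

def full_mesh_trusts(domains):
    """NT4 style: trusts are not transitive, so every pair needs its own trust."""
    return {frozenset(p) for p in combinations({d.lower() for d in domains}, 2)}

def reachable(start, trusts, transitive):
    """Domains `start` trusts: direct partners only, or whole trust paths."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for trust in trusts:
            if current in trust:
                (other,) = trust - {current}
                if other not in seen:
                    seen.add(other)
                    if transitive:
                        queue.append(other)  # follow the trust path onward
    return seen - {start}

if __name__ == "__main__":
    tree = tree_trusts(SAMPLE)
    print("full mesh trusts:", len(full_mesh_trusts(SAMPLE)))
    print("domain tree trusts:", len(tree))
    leaf = "lab.test.abc.com"
    print("transitive reach:", sorted(reachable(leaf, tree, True)))
    print("non-transitive reach:", sorted(reachable(leaf, tree, False)))
```

The transitive result also shows what has to be reviewed when a child domain is added: every domain in the tree ends up on its trust path, not just its parent.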
1. DNS delegation
First, we need to consider DNS delegation. At present, Florence is authoritative for itet.com; that is, Florence can resolve all domain names ending in itet.com. If we want Firenze to be able to resolve shanghai.itet.com, we have to create a delegation to Firenze on Florence, authorizing Firenze to resolve shanghai.itet.com. We open DNS Manager on Florence, as shown in the following illustration, right-click itet.com, and select "New delegation".